Your organisation must provide the service user with the ability to logout from the application, online service, or session following an initial authentication by RealMe service, and this must close the user’s session. This should be in the top right hand header to ensure a consistent user experience.
The label should ideally display “logout”, in order to provide consistency for customers. In some instances, an alternate form such as log out or sign-out may be used, where this is embedded in the underlying application software.
The Password Standard (external link) specifies there must be an inactivity logout from the online service for government agencies and for security purposes, this will apply to all integrated organisations.
Note that some actions, such as filling in forms, may not be detected as activity, so services need to be appropriately designed to avoid users timing out in these circumstances.
Your organisation is responsible for providing appropriate functionality to log out a customer after 15 minutes of inactivity.
For most government online services, there should be a function for users to access RealMe functions to manage their login details in your organisation’s application. This function must only link to the home page of www.realme.govt.nz
A user who has been successfully logging in may not necessarily know how to access the RealMe management functionality from the online service. Your organisation must provide returning users with the RealMe Manage box. The placement of the link may be determined by your organisation – this function could be in the menu or some other reasonably accessible location. Many organisations currently integrated with the RealMe service have used their user profile page as the most appropriate location.
As with the login components, there are three different versions available to cater for different website background colours and blue is the preferred default.
If you can control the format of your organisation’s application pages, then the RealMe ‘Manage’ box must be used as the means to redirect the user to the RealMe manage functions. The user will be required to log in if they want to access their login history or edit their login details.
If your organisation cannot fully control the format of your landing page and application then a basic link (pointing to www.RealMe.govt.nz (external link) and to the Manage page) must be implemented as below:
About RealMe - Manage login
If your online service uses a moderate strength login, consider if more information should be communicated to users. The idea of extra security and RealMe codes (TXT, token and Google Authenticator) will not be familiar to all users.
When a user is redirected from your agency to the RealMe login service to be authenticated at moderate strength, they will be helped through the process of adding a mobile phone for code by TXT if they only have a basic login with username and password.
The basic information for moderate strength users is:
Information about RealMe codes is available on the RealMe website at www.realme.govt.nz. Information is provided to RealMe token users when the token is issued.
Where a token is to be used, your organisation’s registration process must ask users if they already have a RealMe token they can use for access to your service. If so, your organisation must not request RealMe to issue the user with an additional token.
Where the Google Authenticator application is to be used the user must already have enabled RealMe code by TXT and their mobile device must have the application downloaded. Users should also be familiar with how the application works. More information is available on www.realme.govt.nz.
Your organisation will need to associate a user with their user record if you register users before they login for the first time, or you may need to ensure that the person who initiated the online application is the person who completed the evidence of identity process.
Your business requirements may allow an activation code to be used; if so, this code must satisfy the relevant sections of the Password Standard.